Technology

Baltimore Held Hostage in 2nd Ransomware Attack | Malware

Baltimore officials have admitted that the city government once again has been victimized by ransomware -- the second such attack that Baltimore has faced in just over a year.

City computers were
infected with the RobinHood ransomware virus, The Baltimore Sun reported. Hackers told city officials that they would unlock the computers in return for payment of three bitcoins per system, or 13 bitcoins for the entire
system. Based on the current exchange rate the ransom added up to
about US$17,600 per computer or $76,280 for the system.

The hackers gave officials four days to pay or the
ransom price would increase. They threatened to render the systems' data irretrievable after 10 days. In addition, the hackers warned the city not to contact the FBI.

Bernard Young, Baltimore's new mayor, said on social media that
the city's essential services were still running, and that there was no evidence that any personal information had been compromised, as of Tuesday afternoon.

"Baltimore City core essential services (police, fire, EMS and 311)
are still operational, but it has been determined that the city's
network has been infected with a ransomware virus," Mayor Young
tweeted on Tuesday afternoon. "City employees are working diligently
to determine the source and extent of the infection."

As a precaution, the city did shut down the majority of its servers, the
mayor added.

Quick Response

City officials were directed to disconnect their computers from the
Internet completely, as the virus was spreading from
computer to computer. Employees reportedly were directed to unplug the
Ethernet cable from computers and to turn off any connected divisions.

The essential services remained operational, but other services have
been disrupted, including the ability to discuss billing issues or
make online payments, notably for water bills. As a result, the
Baltimore Department of Public Works (DPW) announced via social media
that it would suspend late water bill fees for both city and countycustomers.

The Baltimore City Department of Transportation announced that
two impound lots and its Right of Way Services Division also were affected
by the computer network outage.

The problem largely was contained by Tuesday afternoon, and city teams
were able to quarantine the ransomware, but it by Wednesday it was still unclear when affected systems could be back online. The FBI's cybersquad has been assisting Baltimore with its recovery efforts.

Deja Vu All Over Again

What makes Tuesday's attack unique is that Baltimore faced a similar
attack last year. That one was more damaging, resulting in the temporary shutdown of
automated dispatches for 911 and 311 calls.

"This event tells us that such attacks are on the rise, so much as it
tells us that sensible practices are in decline -- at least in
Baltimore," warned Jim Purtilo, associate professor in the computer
science department at
University of Maryland.

"There is no good way to say this: Two crippling attacks in a year is
just pathetic," he told TechNewsWorld.

Baltimore isn't the only target of such attacks, of course. Atlanta last year fell
victim to the SamSam ransomware, which disrupted city
government operations and functions for a considerable period of time.

The Department of Justice last fall indicted two Iranian men last November for
deploying that virus, whose victims included the city of Newark, New Jersey, as well as
the Port of San Diego and the Colorado Department of Transportation.

"Bad actors have no doubt put the 89,000 local governments across the
country in their cross-hairs," said Mike Bittner, digital
security and operations manager at
The Media Trust.

"These local governments make ideal targets, because they collect and
process a lot of citizen and business information, and their tight
budgets prevent them from making much-needed IT security updates,"
he told TechNewsWorld. "For these city governments, getting
hacked is not a matter of if but when."

Soft Targets

Government offices -- from the federal to the local level -- typically don't replace computer systems as frequently as corporations or individuals. Many of them rely on outdated systems, which makes them a soft target for hackers, who typically use a well-read playbook in these attacks.

"As long as individuals can be manipulated -- via social
engineering or phishing -- and older, unpatched software and weak perimeter
security exists, these attacks will continue with 100 percent
certainty," said David P. Vergara, director of product marketing at
Chicago-based cybersecurity firm
OneSpan.

"It's not reasonable that these attacks will be eliminated; however,
for businesses and organizations to reduce their threat exposure they
should take [appropriate] actions," he told TechNewsWorld.

It's important that they full understand that these attacks can happen,
and that they are costly and complex to resolve.

To address the issue effectively, there needs to be proper investment in preventive
security measures, added Vergara.

"Initiate mandatory and ongoing employee training on phishing, vishing
(voicemail phishing scams) and related social engineering designed to
obtain personal or business information to refine attacks or trick
them into installing malware," he recommended.

In addition, companies and government agencies at all levels should
maintain perimeter security software and
infrastructure, and regularly test it. They also should leverage content filtering on mail servers to block suspicious or malicious attachments.

"Make sure that all systems and software are up-to-date," said Vergara.
"This is an easy one -- yet still overlooked by many businesses and organizations."

Bad Practices Are Good News for Hackers

Of all the types of cyberattacks in circulation, ransomware presents the
most challenges, but it should be easy to recover from with due diligence applied beforehand.

"If you back up your files, you won't need to negotiate or make
payments to cyberthugs," said The Media Trust's Bittner.

Local governments, just like corporations and individuals, need to do a
better job of backing up data, so that paying a ransom is never considered.

"All organizations should assume they are in the crosshairs of
cybercriminals," said Bittner.

In addition, "all organizations should assume they are under some form
of attack and strengthen their cyberdefenses," he added.

"Any one system could be vulnerable to a momentary lapse in our
practices. After all, the attack vectors are there, and sometimes others will
find the vulnerability before we do,"said University of Maryland's Purtilo.

"Having experienced this once in the last year, it is difficult to
imagine why a competent administrator would allow the city to continue
operating a system that allowed an enterprise-wide loss due to a
single point of failure," he added.

To Pay the Ransom

Ransomware today isn't really that much different from the way barbarian
tribes in the ancient era would threaten to raid the frontier and
pillage a city unless they were paid off. The difference is that
instead of a physical attack, ransomware is a digital one, and some cities have
given in.

However, the consensus among security pros is that when under such an attack, paying the ransom should never be considered -- not even as the last course of action.

More worrisome is that if the ransom is paid, that could entice hackers to try again.

"If the business paid before and has not addressed security
vulnerabilities -- yes, they will be targeted again. This is low-hanging
fruit for hackers," said Vergara.

Still, it might be the only option in some cases.

"There are some cases where payment is not only the fastest path to
recovery, but the far more cost-effective choice," admitted Adam Laub,
senior vice president of product management at
Stealthbits Technologies.

"It totally depends on the situation; if your data is really valuable
and there are no other copies to fall back on, then you might have no
other choice than to pay up," he told TechNewsWorld.

This is why ransomware has continued to be an effective weapon for
cybercriminals looking to make a quick buck and wreak havoc while
doing so.

"Conversely, if you've done a good job of backing up at least your
most meaningful data, then it might be perfectly acceptable to lose
whatever's been compromised," suggested Laub. "It's so effective because it elicits desperation from its victims,
and desperate people do desperate things."

Given that this is the second attack on one target, it could be that
lightning is unlikely to strike a third time -- or hackers, as the case may be.

"There's too much attention on the city of Baltimore at this point for
there to be a continued barrage of attacks," Laub explained. "It'd
likely be too risky for the attackers."

Future Attacks Likely

The sad truth is that ransomware attacks are likely to continue. It's not just that many cities still rely on older hardware and software. Even when systems are
replaced, legacy devices leave vast holes for hackers to exploit.

Corporations and large government agencies will be able to plug the
holes, but many large U.S. municipalities will be unable to address
potential exploits.

Whether a successful defense can be mounted may depend on the type of organization targeted, said OneSpan CMO John Gunn.

"A business can respond immediately and invest in additional IT
security tools to prevent the type of attack they just experienced,
whereas a government agency may take months or even years to get
approvals and budget to buy new security tools, all the while being
exposed to similar attacks," he told TechNewsWorld.

Even new systems and a complete network upgrade might not be enough to
keep the digital barbarians away.

"There are so many complexities and moving pieces. It's hard to
imagine a public institution that's likely to be poorly funded being
able to make many meaningful strides towards a solid security posture
in a short period of time," warned StealthbitsTechnologies' Laub.

Still, the fact the Baltimore has been targeted twice suggests the city
didn't learn its lesson.

Peter Suciu has been an ECT News Network reporter since 2012. His areas of focus include cybersecurity, mobile phones, displays, streaming media, pay TV and autonomous vehicles. He has written and edited for numerous publications and websites, including Newsweek, Wired and FoxNews.com.
Email Peter.